Outsourcing Notification Obligations for Investment Firms: Key Considerations

Outsourcing is considered material if a failure in execution could significantly impair compliance with legal requirements, financial performance, or the continuity of services.

Not considered material are, for example:

• Staff training,

• Consulting,

• Simple IT services,

• Cleaning or security services.

The decisive factor is always the individual risk assessment.

✍️ 2. Your Duties as a Securities Institution

a) Risk Management & Outsourcing Register

You must implement an effective risk management system that identifies and assesses outsourcing risks.

A comprehensive outsourcing register must be maintained – including both material and non-material outsourcing.

b) Notification and Reporting Obligations

You must report:

• Intention to enter into a material outsourcing,

• Execution of a material outsourcing,

• Material changes,

• Serious incidents.

When and how to notify?

• Via the BaFin MVP portal

• Using web form, XML upload or web service

📄 3. Requirements for Outsourcing Agreements

A good contract is essential:

• A legal representative in Germany must be named for outsourcing to third countries.

• Clearly defined rights and obligations such as:

  • Right to issue instructions

  • Rights to information and audit

  • Termination rights

  • Provisions for data protection and retention

⚠️ 4. Supervisory Powers of BaFin

BaFin may intervene when:

• Proper service delivery is at risk,

• Risks are not adequately managed,

• Audit rights are restricted.

BaFin can issue instructions to you and the service provider.

🚨 5. Other Organisational Requirements

You remain fully responsible! Therefore, you need:

• Ongoing monitoring of the service provider

• Contingency plans and exit strategies

• Regular risk analyses and reviews

📝 6. Overview of Notification Obligations

🌐 7. Special Requirements for Third Countries

If outsourcing to third countries:

• Cooperation agreements with local supervisory authorities may be required

• German legal representative must be designated

• Data protection and access controls must be documented

📊 8. Content of Notification According to WpI-AnzV § 13

Your notification must contain detailed information, including:

• Reference number, contract term, termination periods

• Processes involved, data categories, cloud models and locations

• Materiality assessment, risk evaluation, budget

• Sub-outsourcers, substitutability, contingency planning

In the case of material changes, many of these details must be resubmitted.

🚫 9. What Constitutes a Serious Incident?

Examples include:

• IT outages that disrupt service delivery for extended periods

• Legal violations, especially breaches of data protection laws

• Lack of cooperation with supervisory authorities

• Reputational damage or looming insolvency of the provider

In such cases, you must inform the authorities immediately.

🔹 Conclusion: What You Must Consider

• Only material outsourcing arrangements are subject to notification

• Use the BaFin MVP Portal for all reports

• Maintain a complete outsourcing register with up-to-date risk assessments

• Draft precise contracts, especially for third-country outsourcing

• Plan for emergencies and exit scenarios

• Ensure all documentation is audit-ready and respond promptly to BaFin inquiries